This FAQs is specifically for how businesses can implement and benefit from VoiceProtect. To learn more about user benefits and how the system works, visit our general FAQs
VoiceProtect provides a programmable intermediary service between your website and your users or employees.
Our intermediary service ensures any message sent to employees or users cannot be read until the user successfully passes all three factors: something they have (their phone), something they know (their passcode), and something they are (voice). Our patent-pending product is the first turnkey 3-factor solution available to businesses that can be implemented, depending on desired configuration, in a matter of hours.
The service is programmable because it enables businesses to specify what message is sent, which affects strength of authentication. For example a business can send a standard access code or send a temporary URL. A temporary URL provides extra protection against phishing hacks (explained in the next FAQ).
Please also read our general FAQs where we provide details how the system works and ensures security (and privacy) of users.
Businesses should leverage VoiceProtect to better protect employees and users against critical flaws with existing single factor and two-factor authentication, which cause millions to get hacked each year.
VoiceProtect can be used for the following use cases:
If your business already offers SMS 2-factor authentication, our service enables eliminating the risk of SMS codes getting intercepted by hackers due to SIM card porting.
If your business doesn’t use 2-factor authentication, implement 3-factor authentication as a service for stronger authentication without the vulnerabilities of 2-factor alternatives: risk of SIM porting and need for backup codes with Authenticator apps (like Google) and security keys.
Protect users and employees against phishing. When hackers send a fake link, they mirror on your real site what the recipient inputs into the fake site. This allows hackers to bypass SMS 2-factor authentication as well as Authenticator apps. Our programmable approach lets you send a temporary URL instead, which recipients only see after they pass all 3 factors. Since this avoids the intended recipient to input anything into your site, it creates a dead-end for hackers.
Completely offload password storage by eliminating passwords for your website. Instead use our service to manage the full authentication process. When users login, they just need to enter their username. Using our API, you then send us a UUID associated with the username. After they successfully pass all 3 factors, we advise via the API (or alternatively if they fail). This is more secure than services that provide email authentication since email is often compromised by hackers.
There are different configurations that affect how much effort is required to implement VoiceProtect.
For #1 above where you already use SMS 2-factor authentication, no integration or changes to the website are needed. You just need to assign a VoiceProtect phone number to each employee or user.
For #2 above where you do not offer SMS 2-factor authentication, a process would be needed to request and store users’ VoiceProtect phone numbers (so that an access code can be sent to VoiceProtect) as well as enable users to enter the access code on your site.
For #3, to protect against phishing a temporary URL needs to be sent to VoiceProtect and you must change your authentication process that supports this URL (and creates a dead-end).
For #4, to completely offload password storage our API would need to be implemented.
There are other implementation options as well. Please contact us at email@example.com to discuss.
If you implement our API, there is no need for a VoiceProtect phone number.
If do not use our API, VoiceProtect phone numbers are required. We lockdown VoiceProtect phone numbers to be only usable for your service. Employees or users cannot use the number for any other online service.
If you use our API, we would provide an enrollment link where employees/users enroll, which allows us to connect employees/users to a UUID.
If you use VoiceProtect phone numbers there are 2 ways to enroll them. The first is you send us a flat file with all the phone numbers of your employees or users. We then send an SMS asking them to link their voice and issue them a VoiceProtect phone number that is exclusive to your business. We will send back a flat file with a corresponding VoiceProtect phone number for each phone number.
The second way is to send them a special link we provide you to our service. When they click, we request their phone number and enroll them, which is same as the consumer version of VoiceProtect except the VoiceProtect phone numbers we issue are exclusively for your service. Users then need to manually enter their VoiceProtect phone number for your service’s SMS 2-factor authentication (or a special page you create for employees or users to enter if you do not offer SMS 2-factor authentication).
No unlike a mobile phone number, VoiceProtect phone number are not meant to be shared with anyone. The VoiceProtect is not listed in any directory and is not associated with your identity in any way, so it can not be ported to another carrier. It is truly a private number that you should only use for online security purposes (we strongly recommend this). A hacker won’t even know to look for this number nor know whose identity it relates to, and therefore porting has zero value.
Second, we place a lock on each phone number so that it can’t be ported out of VoiceProtect.
Third, the VoiceProtect number is constantly monitored for any changes in ownership or forwarding or functionality. And the number is set up to receive monitoring messages. When messages received, we check that the data is correct as well as the sender of the message. If the data or sender are incorrect, we trigger an alarm. This type of monitoring cannot be done with a phone number associated with a cell phone as regular monitoring messages will bother you as there is no way to manually verify the correctness of the monitoring message.
In this day and age we realize security is hard. It is why we created VoiceProtect: to offload the heavy lifting for businesses so they don’t have to build from scratch or rely on approaches with well-known vulnerabilities.
This question has 2 parts: how well does VoiceProtect work and how secure is VoiceProtect. In terms of how well it works, we use 3 factors in the authentication process, which security professionals strongly recommend for online authentication. The combination of all 3 factors makes our system more secure than other approaches. Plus the programmability of our solution enables businesses to mitigate strategies hackers commonly use.
We are the first service that offers all 3 factors turnkey and make it is easy for your business to implement. Plus is less costly than products like hardware-based security keys, which have a vulnerability with backup codes. Plus security keys aren’t practical if you need to support a large userbase (which involves managing situations where they lose security keys or backup codes, cost of replacing security keys, etc).
As for the question whether the data we maintain is secure from hackers, first the only information we take for each user is a phone number and voiceprint (no other personal identifying information). This data is stored in a decentralized manner to ensure the highest level of security and privacy; phone numbers are encrypted and stored with Phone.com while voiceprints are encrypted and stored with SecondMind. Each data is connected by an encrypted random identifier. This decentralization creates a much more secure model versus if the data is stored in one location.